ABSTRACT
Return-Oriented Programming (ROP) has emerged as one of the most widely used techniques to exploit software vulnerabilities. Unfortunately, existing ROP protections suffer from a number of shortcomings: they require access to source code and compiler support, focus on specific types of gadgets, depend on accurate disassembly and construction of Control Flow Graphs, or use hardware-dependent (microarchitectural) characteristics. In this paper, we propose EigenROP, a novel system to detect ROP payloads based on unsupervised statistical learning of program characteristics. We study, for the first time, the feasibility and effectiveness of using microarchitecture-independent program characteristics -- namely, memory locality, register traffic, and memory reuse distance -- for detecting ROP. We propose a novel directional statistics based algorithm to identify deviations from the expected program characteristics during execution. EigenROP works transparently to the protected program, without requiring debug information, source code or disassembly. We implemented a dynamic instrumentation prototype of EigenROP using Intel Pin and measured it against in-the-wild ROP exploits and on payloads generated by the ROP compiler ROPC. Overall, EigenROP achieved significantly higher accuracy than prior anomaly-based solutions. It detected the execution of the ROP gadget chains with 81% accuracy, 80% true positive rate, only 0.8% false positive rate, and incurred comparable overhead to similar Pin-based solutions.
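As an added illustration (not EigenROP's own code, features or evaluation data), the toy Python below computes the three characteristics named in the abstract over constructed trace windows and scores a window by the angular deviation of its feature vector from the baseline mean direction; the feature definitions, the traces and the threshold rule are assumptions made for this example.

```python
"""Added example, not EigenROP's code: summarise windows of an execution trace by
memory locality, register traffic and memory reuse distance, then flag windows whose
feature *direction* deviates from a baseline mean direction (cosine distance)."""
from math import sqrt

LINE = 64  # assumed cache-line granularity for the locality and reuse features

def window_features(window):
    """window: list of (memory address or None, registers touched) per instruction."""
    lines = [a // LINE for a, _ in window if a is not None]
    # locality: share of accesses that hit the same line as the previous access
    same = sum(1 for p, q in zip(lines, lines[1:]) if p == q)
    locality = same / max(len(lines) - 1, 1)
    # register traffic: mean registers read or written per instruction
    traffic = sum(r for _, r in window) / len(window)
    # reuse distance: distinct lines touched between two uses of the same line
    last, dists = {}, []
    for i, ln in enumerate(lines):
        if ln in last:
            dists.append(len(set(lines[last[ln] + 1:i])))
        last[ln] = i
    reuse = sum(dists) / len(dists) if dists else float(len(set(lines)))
    return (locality, traffic, reuse)

def unit(v):
    n = sqrt(sum(x * x for x in v))
    return tuple(x / n for x in v)

def score(mu, window):
    """Directional deviation: 1 - cos(angle) between window direction and mean direction."""
    return 1.0 - sum(a * b for a, b in zip(mu, unit(window_features(window))))

def fit(baseline_windows):
    """Mean direction of the baseline unit vectors plus a toy threshold rule (assumption)."""
    mu = unit([sum(c) for c in zip(*(unit(window_features(w)) for w in baseline_windows))])
    thresh = max(3 * max(score(mu, w) for w in baseline_windows), 0.02)
    return mu, thresh

def is_anomalous(model, window):
    mu, thresh = model
    return score(mu, window) > thresh

# Constructed benign trace: a loop with one sequential load and three register-only
# instructions per iteration (high locality, zero reuse distance, ~1.5 regs/instr).
def normal_trace(base, stride, iters=16):
    return [x for i in range(iters)
            for x in ((base + stride * i, 2), (None, 2), (None, 1), (None, 1))]

# Constructed gadget-chain-like window: pop and ret read the stack, then a write goes
# to a scattered address, so locality drops and register traffic rises versus the loop.
def gadget_trace(stack=0x7F00, gadgets=8):
    return [x for k in range(gadgets)
            for x in ((stack + 16 * k, 2), (stack + 16 * k + 8, 2), (0x10000 + 0x1000 * k, 2))]

BASELINE = [normal_trace(0x1000, 4), normal_trace(0x2000, 8)]
MODEL = fit(BASELINE)
```

A real deployment would scale each feature before taking directions and derive the threshold from many baseline windows; here two constructed windows and a fixed floor stand in for that.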